3 Answers
3

If the website is compromised, then you could download malware onto your machine.

If you click on a malicious link in the user-submitted comments, bad things may happen.

If you click on a malicious advert (can happen, see Danny's comment below), bad things may happen.

None of these are really about YouTube or Google - they are general website risks.

That said, Google are generally good at finding and fixing vulnerabilities and flaws. They even pay people who point out bugs. So YouTube may be a lower risk than some other sites. It is a nice target, though, as attackers will see the number of visitors as a potential goldmine.

You can protect yourself by keeping your browser up to date, and using valid codecs (i.e. don't install custom video codecs that may have come from a dodgy site - they could subvert the video stream into doing something malicious).

+1 for codec comment, that would never have occurred to me. – lynks Feb 1 '13 at 16:48

2

Note that Google hosts an insane number of ads, and sometimes malicious ads slip by. It's happened several times in the past (see the links in the last paragraph). – BlueRaja - Danny Pflughoeft Feb 1 '13 at 18:55

If you worry about the health of your computer instead of your own, then YouTube is, by itself, a rather low risk arena since Google has a huge vested interest in things staying that way. However, don't click on links which are in the videos or in comments, because they can send you anywhere, out of reach of the Google Police. YouTube is full of links and the average human user has trouble refraining from clicking when presented with a video of cute kittens and a promise of more at the other end of a simple mouse click. As usual, the biggest weakness is what lies between the keyboard and the chair.

If YouTube has a persistent XSS vulnerability (or a non-persistent one, but that requires some user interaction, which is to click the malformed URL), then yes, you do have the chance of getting infected, as an attacker can simply embed a 1x1 iframe which will link to his Java drive-by malware. Of course, if you clicked any links that are posted by the users, you may have the chance of visiting a site that contains Java drive-by malware.

Prevention that can be done on YouTube's side is of course to patch up the vulnerabilities and maybe to enforce a check on the links that the users post to prevent users from accessing a potentially malicious URL.

Prevention that can be done on your side would be to disable Java or update your Java to the latest version (it really depends on you; some need it but some don't). Another way would be to install a plugin that can block malicious Java drive-bys, such as NoScript, and of course, update your browser.
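The server-side link check suggested in the last answer could look like the following. This is an added example, not part of any answer and not YouTube's actual code; the trusted-host list, the blocklist entry, and the three verdict names are assumptions made for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumptions for this sketch: the site's own hosts and a reputation blocklist.
TRUSTED_SUFFIXES = ("youtube.com", "youtu.be")   # treated as on-site
BLOCKLIST = {"malware.example"}                  # constructed sample entry

# Anything shaped like "scheme:rest", so javascript:/data: links are vetted too.
URL_RE = re.compile(r"""\b[a-zA-Z][a-zA-Z0-9+.-]*:[^\s<>"']+""")

def _host_matches(host, suffix):
    # Exact host or a true subdomain; "youtube.com.evil.example" must not match.
    return host == suffix or host.endswith("." + suffix)

def classify_link(url):
    """Return 'internal', 'interstitial' or 'blocked' for one user-posted URL."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
    except ValueError:                 # malformed authority, e.g. bad IPv6 literal
        return "blocked"
    if parts.scheme.lower() not in ("http", "https") or not host:
        return "blocked"               # javascript:, data:, file:, ...
    if parts.username is not None or parts.password is not None:
        return "blocked"               # https://youtube.com@other.host/ disguise
    try:
        ipaddress.ip_address(host)
        return "blocked"               # raw IP literal instead of a name
    except ValueError:
        pass                           # not an IP address, keep checking
    if any(_host_matches(host, b) for b in BLOCKLIST):
        return "blocked"
    if any(_host_matches(host, s) for s in TRUSTED_SUFFIXES):
        return "internal"
    return "interstitial"              # off-site: show a "you are leaving" page

def vet_comment(text):
    """Classify every URL-like token found in a user comment."""
    return [(u, classify_link(u)) for u in URL_RE.findall(text)]

if __name__ == "__main__":
    sample = "more kittens at http://malware.example/k and https://youtu.be/abc"
    for url, verdict in vet_comment(sample):   # constructed sample comment
        print(verdict, url)
```
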